In the era of “vibecoding,” where developers leverage AI to prototype applications rapidly, security often takes a back seat to speed.
Enter SecureVibes, an innovative open-source tool released in October 2025 by developer Anshuman Bhartiya, designed to bridge this gap.
Built on Anthropic’s Claude AI, SecureVibes employs a multi-agent architecture to autonomously scan codebases for vulnerabilities, providing context-aware analysis that traditional static application security testing (SAST) tools struggle to match.
This Python-based scanner supports 11 programming languages, making it ideal for polyglot projects, and delivers detailed reports with remediation suggestions, all while keeping costs low at around $2-3 per scan using the Sonnet model.
Multi-Agent Architecture: Collaborative AI For Threat Detection
SecureVibes stands out through a true agent-based system in which five specialized Claude AI agents collaborate like a virtual security team, orchestrating tasks autonomously rather than following a rigid script.
The process begins with the Assessment Agent, which maps the codebase architecture by analyzing dependencies, data flows, and potential entry points, outputting a SECURITY.md file for documentation.
Building on this, the Threat Modeling Agent applies the STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) to identify 20-30 potential threats per project, generating a THREAT_MODEL file.
The Code Review Agent then dives deeper, using security thinking methodologies to validate threats against actual code, pinpointing issues like unauthenticated access or XSS with precise file paths and line numbers in a VULNERABILITIES.json file.
An optional Dynamic Application Security Testing (DAST) Agent enhances this by testing running applications via a provided URL, simulating exploits with Claude’s agent skills for real-world validation.
Finally, the Report Generator compiles findings into customizable formats such as Markdown or JSON, including severity breakdowns (critical, high, medium, low) and cost summaries.
In self-tests on its own codebase, SecureVibes detected 16-17 vulnerabilities, outperforming single-agent AI (4-5 findings) and rules-based tools like Semgrep (zero findings), thanks to its contextual reasoning that reduces false positives.
Broad Language Support and Easy Integration
One of SecureVibes’ key strengths is its multilingual prowess, automatically detecting and scanning code in Python (.py), JavaScript (.js/.jsx), TypeScript (.ts/.tsx), Go (.go), Ruby (.rb), Java (.java), PHP (.php), C# (.cs), Rust (.rs), Kotlin (.kt), and Swift (.swift).
It intelligently excludes irrelevant directories such as venv/ for Python or node_modules/ for JS while handling mixed-language projects by applying combined rules, ensuring efficient scans free of noise from build artifacts and dependencies.
Installation is straightforward: users can run pip install securevibes for the stable version or clone the GitHub repo for cutting-edge features, then authenticate via Claude’s CLI session or an API key.
Basic usage involves running “securevibes scan .” for a complete analysis, with options like --debug for verbose agent narration, --severity high to filter issues, or --subagent code-review to run a single agent and save API costs.
For CI/CD integration, the Python API enables programmatic scans in pipelines, fails builds on critical vulnerabilities, and provides real-time progress in streaming mode.
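As an added example (not SecureVibes’ own code or API), here is a small CI gate that reads a findings file in the shape the article describes and fails the build at or above a severity threshold; the JSON key names, the top-level vulnerabilities list and the sample findings are assumptions constructed for illustration, not the scanner’s documented schema.

```python
"""CI gate over a SecureVibes-style findings file (added example, not the
project's own code). The JSON schema below is an ASSUMPTION; adapt the key
names to the VULNERABILITIES.json your scanner version actually emits."""
import json
import sys
from collections import Counter

# Severity levels named in the article, highest first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample in the assumed shape (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"severity": "critical", "title": "Unauthenticated admin endpoint",
         "file_path": "app/routes.py", "line_number": 42},
        {"severity": "medium", "title": "Reflected XSS in search form",
         "file_path": "app/templates/search.html", "line_number": 17},
        {"severity": "informational", "title": "Verbose error page",
         "file_path": "app/errors.py", "line_number": 8},
    ]
})

def load_findings(report_json: str) -> list[dict]:
    """Parse the report text; tolerate a missing list but not malformed JSON."""
    data = json.loads(report_json)
    return list(data.get("vulnerabilities", []))

def severity_breakdown(findings: list[dict]) -> dict[str, int]:
    """Count findings per severity label, e.g. for a CI job summary."""
    return dict(Counter(str(f.get("severity", "unknown")).lower() for f in findings))

def gate(findings: list[dict], threshold: str = "high") -> list[dict]:
    """Return the findings that should fail the build: anything at or above
    `threshold`, plus any finding whose severity label is not recognised.
    Unknown labels block deliberately, so a schema change in the report
    cannot silently switch the gate off."""
    bar = SEVERITY_RANK[threshold.lower()]
    blocking = []
    for f in findings:
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).lower())
        if rank is None or rank >= bar:
            blocking.append(f)
    return blocking

def main() -> int:
    """Exit non-zero when any blocking finding exists, as a pipeline step would."""
    findings = load_findings(SAMPLE_REPORT)
    print("severity breakdown:", severity_breakdown(findings))
    blocking = gate(findings, threshold="high")
    for f in blocking:
        print(f"BLOCK [{f.get('severity')}] {f.get('title')} "
              f"({f.get('file_path')}:{f.get('line_number')})")
    return 1 if blocking else 0

if __name__ == "__main__":
    sys.exit(main())
```

In a real pipeline, replace SAMPLE_REPORT with the contents of the scanner’s VULNERABILITIES.json and map the threshold to the same value you pass to --severity.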
Privacy is a priority; only relative file paths and code are sent to Anthropic, excluding secrets or absolute paths, though users should review Anthropic’s policy for sensitive scans.
Licensed under AGPL-3.0, SecureVibes fosters community contributions and evolves rapidly, with recent additions like DAST enhancements.
As AI-driven development accelerates, SecureVibes empowers developers to seamlessly embed security, turning potential risks into fortified codebases without slowing innovation.
With its agentic depth and broad compatibility, it’s a game-changer for modern cybersecurity workflows.